by cameronh90 2086 days ago
Speaking as someone involved in this, Shadow IT is a nightmare.

Users will sign up for Dropbox accounts, share the credentials with others in the company, disable MFA and then load it full of confidential data. Users will do things like using personal email addresses for apps that become critical to business processes, then quit without transferring the account.

Additionally as a European company, we are bound by the GDPR to know where confidential data is being stored and processed, to have assessed any third parties and put them in our data processing agreements.

Consequently we end up in this situation of having to be the bad guys, blocking otherwise useful sites with proxies/CASBs to save users from doing dangerous things.

Web app developers could do a lot to help security departments but I suspect they intentionally don't because they perceive that it would harm adoption.


In my experience users generally do this when their computers are locked down and IT departments are not responsive enough to meet their needs in a timely fashion. It's a paradoxical case of more restrictions making things less secure.
Unfortunately user expectations tend to be that they want the account set up immediately, and anything beyond that and someone will try and circumvent it.

It doesn't help that SaaS companies tend to put the things required for security (OIDC, mandatory 2FA, organisation support, sharing restrictions) on the expensive enterprise plans, which means that IT need to go back to the user and say if they want to use it, they need budgetary approval for the $15k/month version. This either kills it (and makes them sneakily sign up for the personal one) or means it won't get approved until their department's next quarterly budget meeting.

While I understand that SaaS companies want to find unique areas they can use to upsell enterprise customers, I feel pretty strongly about basic security features being used as that leverage. Especially as there are many SMEs like us that work in a regulatorily complex environment but don't necessarily have the budget for the top tier just to get that security (UK finance, so we have GDPR/ePD/PECR as well as PCI-DSS, MIFID II, POCA, and a bunch of other FCA regulations to comply with).

Ultimately this means we end up saying no to users more than we say yes, which as you say, frustrates them and pushes them into shadow IT. Then we need to deploy proxies/CASB to catch users trying to use shadow IT and blocking sites.

Under some circumstances, I sympathise a lot with users who are trying to do their jobs, identify a tool that will help them to do their jobs, and then get told "no" by IT, particularly if IT is being obstructive for no apparent reason except throwing its weight around.

However, when you're talking about something like external hosting and transferring data outside of your organisation, I think there is a line that has to be drawn, partly just as a responsible corporate citizen and partly because of the potential liability when laws and regulations such as those you mentioned attempt to mandate that sort of responsible behaviour.

In an obviously sensitive field like finance, healthcare or law, bypassing the rules and setting up shadow IT really should be a serious disciplinary matter, possibly even a firing offence. It is, after all, potentially causing the company to break the law, not to mention creating severe security and privacy risks, and the damage that can be done by a small group or even a single individual can be catastrophic.

Yup. And then IT departments will use users doing it as an excuse for further lockdowns, you can't trust those users after all, look what they do. Vicious circle of mistrust.
Some IT departments forget they serve their users and aren't their jailers.
I have only two employees and it's already a nightmare. Note-taking apps outside of our intranet, people mixing their Facebook cookies with their work (I specifically say they must have two separate Chrome profiles during onboarding), an infinite number of Chrome extensions, which means any extension can harvest their passwords to any site...

Unless I become the bad guy, it feels like they are trying to inventory every possible way to leak our GDPR data. And this is how you get micromanaged or fired.

Would this be entirely mitigated by SaaS companies offering 100%-on-prem versions? Or would there still be GDPR issues even then?

On-prem does tend to have fewer GDPR/security concerns, but a SaaS is fine provided it is adequately controlled, and usually quicker to set up and lower maintenance cost.

Relatively simple things that SaaS companies could do to make our lives easier include:

* Ability to "claim" email domains to corporate ownership - that is, if any user tries to register with one of our email domains, they are automatically added to the corporate account with appropriate sharing and security controls (to be fair to Trello, I believe they do this - as do Apple, Google, Microsoft and a few others)

* Making OIDC/SAML/SSO a standard option rather than something you have to pay the super-duper $15k+/month enterprise plan for, which you can only get after weeks of conversations with sales (if anyone from Twilio happens to read this...)

* Ensuring there is "organisation" support - with security/billing admins that can manage the account, set mandatory 2FA.

* Even just something in the sign-up flows where it asks if they're setting up a business account, and if so, asks for their security/IT contact and pops them an email. Most users aren't being intentionally malicious; it's just that they aren't aware we'd like to know (despite repeated communication that they tend to ignore!).

Long term, I think we need better industry-wide solutions to Shadow IT that don't involve invasive proxies. I haven't fully thought through what that would look like, but something like a Do-Not-Track header, but to disable users setting up accounts. Or TXT records on DNS hosts which would cause any attempt to set up an account with that email to automatically fire off to an admin user for approval, etc... See how Google forces mandatory safe-search for schools: https://support.google.com/websearch/answer/186669?hl=en
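As an added example (not code from this thread or from any vendor), here is how the "claimed domain" idea from the bullet list and the DNS TXT approval idea above could be wired into a SaaS sign-up flow. The record name `_signup-policy.<domain>`, its `k=v; k=v` tag format and the offline resolver stub are assumptions made for illustration; no such standard exists.

```python
"""Sign-up gate driven by a domain-owner-published DNS TXT record (assumed format)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed zone data standing in for a real resolver so the example runs offline.
FAKE_TXT_RECORDS = {
    "_signup-policy.example.com": ["v=signup1; policy=approve; contact=it-sec@example.com"],
    "_signup-policy.example.org": ["v=signup1; policy=join"],
    "_signup-policy.broken.test": ["v=signup1; policy=whatever"],  # claimed, but unknown policy
}

def fake_txt_lookup(name: str) -> list[str]:
    return FAKE_TXT_RECORDS.get(name.lower(), [])

@dataclass(frozen=True)
class Decision:
    action: str                      # "personal" | "join-org" | "await-approval"
    domain: str
    contact: Optional[str] = None    # IT/security contact to notify, if published

_EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

def parse_policy(txt: str) -> dict[str, str]:
    """Split 'k=v; k=v' into a dict; tokens without '=' are dropped rather than failing."""
    tags: dict[str, str] = {}
    for token in txt.split(";"):
        if "=" in token:
            key, value = token.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def decide_signup(email: str, txt_lookup: Callable[[str], list[str]] = fake_txt_lookup) -> Decision:
    match = _EMAIL_RE.match(email.strip())
    if not match:
        raise ValueError("not a valid email address")
    domain = match.group(1).lower()
    # Only records carrying the expected version tag count; unrelated or garbled TXT
    # records are ignored, so an unclaimed domain gets an ordinary personal sign-up.
    policies = [p for p in (parse_policy(r) for r in txt_lookup(f"_signup-policy.{domain}"))
                if p.get("v") == "signup1"]
    if not policies:
        return Decision("personal", domain)
    policy = policies[0]
    if policy.get("policy") == "join":
        return Decision("join-org", domain)          # auto-attach to the corporate tenant
    # "approve" and any unrecognised value: the domain is claimed, so hold the account
    # for the owner's admin instead of silently creating a personal one.
    return Decision("await-approval", domain, policy.get("contact"))
```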